Twelve months after their initial WiFi revelations, researchers at KU Leuven have found that some Krack fixes were flawed and WiFi’s official defense could be bypassed.
Following last year’s discovery of the key reinstallation attack (Krack) vulnerability affecting devices using the WPA2 wireless protocol, most vendors updated their products – but in certain cases attacks were still possible, security researcher Mathy Vanhoef has confirmed.
Twelve months after coming forward with their initial findings, Vanhoef and fellow KU Leuven academic Frank Piessens have published a fresh white paper indicating that some vendor mitigations against Krack were flawed, leaving devices open to selected attacks.
The team also discovered new techniques to bypass the WiFi protocol’s official defense against Krack, allowing an adversary to replay broadcast and multicast frames.
Refining the attack
First, says Vanhoef, he was able to make it easier to exploit the four-way handshake of Android, macOS, and OpenBSD, by generating an encrypted – rather than plaintext – handshake message to trigger the key reinstallation.
“As a result, an adversary no longer has to rely on hard-to-win race conditions to exploit vulnerable implementations of the four-way handshake,” he says.
The Fast Initial Link Setup (FILS) and Tunneled direct-link setup PeerKey (TPK) handshake are also vulnerable to key reinstallations, he says. However, this isn’t as much of a problem as it sounds, as the FILS handshake isn’t yet being used in practice, and the vulnerability in the TPK handshake has already been patched.
More seriously, says Vanhoef, the WiFi standard’s official countermeasure can be bypassed.
“The official defense states that a device shouldn’t reinstall an already in-use key,” he explains. “However, this defense can by bypassed by first letting the victim install a new key, to then let it reinstall an old key.”
Last but not least, says Vanhoef, the researchers discovered several implementation-specific key reinstallation vulnerabilities while inspecting patches and open source code.
Even after the patches that prevent the Krack attack, for example, macOS reused the SNonce during rekeys of the session key. Meanwhile, iOS didn’t properly install the integrity group key.
“We believe the main reason vulnerabilities are still present is because the WiFi standard is large, is continually being expanded with new features, and requires domain-specific knowledge to understand,” he says.
“These obstacles can be overcome by having high-level descriptions - or formal models - of all security-related features of WiFi. This would make it easier to reason about its design, and test the correctness of implementations. Additionally, we believe the WiFi Alliance should not only test products for interoperability, but also fuzz them for vulnerabilities.”
WPA3 – the magic number?
Unfortunately, WPA3 won’t fix all these problems. The latest version of the wireless protocol – currently being rolled out around the world – still uses the four-way handshake, albeit in combination with the new ‘Dragonfly’ handshake, and organizations will need to be rigorous when it comes to implementation.
However, Vanhoef is optimistic that WPA3 will represent a meaningful step forward.
“It’s possible that products will contain some bugs in their first release of WPA3,” he told The Daily Swig earlier this year. “But that’s not a big issue: companies will fix those, and in the end the security of users will be improved.”
Importantly, the KU Leuven team noted that most users should not be too worried by their latest research, and that the impact of replaying broadcast and multicast frames is low in practice.
“Our new paper and the results are not as serious as the original key reinstallation attacks,” they said. “Nevertheless, our research is a good reminder that patching vulnerabilities can be hard in practice, and that we must keep checking whether devices are properly updated.”